ISPConfig versus Certbot Updates

Well this was a little break in the day; I have a client using ISPConfig (and I updated the instructions for that as well, you can find them here) to look after various aspects of their internet presence and whilst it doesn’t change very much, every now and then they like to add sites or email domains. ISPConfig was set up to use LetsEncrypt and up until very recently that was not really a problem.

Certbot upgraded to 0.31.0 in accordance with the changeovers; beyond that I didn’t think much about it. Why would I? There were no advisements issued with the upgrades, just a note saying unless you’re using api v2 everything would stop working.

Interestingly, a week or so later I got a call saying “It no longer lets me set SSL with LetsEncrypt”. I tried and they were correct; obviously assuming the client is correct as the default response is not done 🙂

I turned to the trusty logs and this is what I found:

2020-01-24 12:18:04,017:DEBUG:certbot.main:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v02.api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', 'postmaster@domain.co.uk', '--webroot-map', '{"domain.co.uk":"\\/usr\\/local\\/ispconfig\\/interface\\/acme"}']
2020-01-24 12:18:04,019:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-01-24 12:18:04,038:DEBUG:certbot.log:Root logging level set at 20
2020-01-24 12:18:04,039:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-01-24 12:18:04,040:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2020-01-24 12:18:04,041:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f27c924b9b0>
Prep: True
2020-01-24 12:18:04,042:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f27c924b9b0> and installer None
2020-01-24 12:18:04,043:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2020-01-24 12:18:04,089:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/letsencrypt", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1234, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 605, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 513, in _determine_account
    acc = display_ops.choose_account(accounts)
  File "/usr/lib/python3/dist-packages/certbot/display/ops.py", line 86, in choose_account
    "Please choose an account", labels, force_interactive=True)
  File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 507, in menu
    self._interaction_fail(message, cli_flag, "Choices: " + repr(choices))
  File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 469, in _interaction_fail
    raise errors.MissingCommandlineFlag(msg)
certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:
Please choose an account
Choices: ['server@2019-03-28T11:41:56Z (2087)', 'server@2019-04-01T10:19:10Z (f98d)']
2020-01-24 12:18:04,827:DEBUG:certbot.main:certbot version: 0.31.0
2020-01-24 12:18:04,828:DEBUG:certbot.main:Arguments: ['--domains', 'domain.co.uk']
2020-01-24 12:18:04,829:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-01-24 12:18:04,842:DEBUG:certbot.log:Root logging level set at 20
2020-01-24 12:18:04,843:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log

At first glance you could be forgiven for thinking this was a certbot version problem, if of course you hadn’t upgraded to the very latest version and it wasn’t using API v2. But in this instance you can see it is version 0.31.0 and using v02.api.letsencrypt.org. So what is the problem? Well, it is a remarkably simple one really, with the clue being in the error “certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting: Please choose an account”. Certbot was run non-interactively (the -n argument) and the “Choices” line lists two accounts, so it had no way to ask which one to use.

When certbot upgraded, a new account was created for use with the new version of the API. Or rather a new key (which they call an account) was generated. Unfortunately, the upgrade process also keeps the old key and puts a symlink to it in the v2 directory structure. It seems this isn’t consistently done and I am not entirely sure why it is only “sometimes” but it does it and this server was an unlucky recipient of the erroneous behaviour.

So to solve the problem, you just need to remove the symlink to the old version one account from the v2 accounts directory.

V02 Directory:

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/

There should only be one entry in there; remove the symlink and all will be well in your ISPConfig and LetsEncrypt world once more.
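A way to check that directory before removing anything, as an added example (not from the original post, certbot or ISPConfig): it reports each entry as a real account directory or a symlink, and only unlinks symlinks when a real account would remain. The function names and the ACCOUNTS_DIR variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit certbot's ACME v2 accounts directory for symlinked
# account entries. Function names and ACCOUNTS_DIR are illustrative.
ACCOUNTS_DIR="${ACCOUNTS_DIR:-/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory}"

# Print "symlink <name> -> <target>" or "account <name>" for each entry.
list_accounts() {
    dir="${1:-$ACCOUNTS_DIR}"
    for entry in "$dir"/*; do
        name=$(basename "$entry")
        if [ -L "$entry" ]; then          # test -L first: a link to a dir is also -d
            printf 'symlink %s -> %s\n' "$name" "$(readlink "$entry")"
        elif [ -d "$entry" ]; then
            printf 'account %s\n' "$name"
        fi
    done
}

# Count entries of one kind ("symlink" or "account") in a directory.
count_kind() {
    list_accounts "$2" | awk -v k="$1" '$1 == k { n++ } END { print n + 0 }'
}

# Unlink symlinked entries only, and only if a real account stays behind.
remove_symlinked_accounts() {
    dir="${1:-$ACCOUNTS_DIR}"
    if [ "$(count_kind account "$dir")" -lt 1 ]; then
        echo "refusing: no real account directory would remain in $dir" >&2
        return 1
    fi
    for entry in "$dir"/*; do
        [ -L "$entry" ] || continue
        rm -- "$entry"                    # removes the link, not its target
        echo "removed symlink $(basename "$entry")"
    done
}

# Read-only by default: report what is there.
list_accounts "$ACCOUNTS_DIR"
```

Run it as root to see the entries, and call remove_symlinked_accounts only once the listing shows the symlink alongside the real v2 account.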

Sorry it took so long to write this up and let you all know, work ‘n all that getting in the way.

